Bug 2312524 (CVE-2024-8553)

Summary: CVE-2024-8553 foreman: Read-only access to entire DB from templates
Product: [Other] Security Response
Reporter: OSIDB Bzimport <bzimport>
Component: vulnerability
Assignee: Product Security DevOps Team <prodsec-dev>
Status: NEW
Severity: medium
Priority: medium
Version: unspecified
CC: bbuckingham, ehelms, ggainey, juwatts, mhulan, nmoumoul, osousa, pcreech, rchan, security-response-team, smallamp
Keywords: Security
Hardware: All
OS: Linux
Doc Text:
A vulnerability was found in Foreman's loader macros introduced with report templates. These macros may allow an authenticated user with permissions to view and create templates to read any field from Foreman's database. By using specific strings in the loader macros, users can bypass permissions and access sensitive information.
Deadline: 2024-12-06

Description OSIDB Bzimport 2024-09-16 07:39:15 UTC
An issue in templates related to loader macros, which were introduced together with report templates. These allow an authenticated user who has permission to view any of the resources that have loader macros, and permission to view and create (probably) any kind of template, to read any field from Foreman's database by passing strings to the loader macros and remapping fields from the result to the original object class.

Refer: https://github.com/theforeman/foreman/blob/da504c8a2599b325853066b5099493e0c
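The bug class described in this report, as an added illustration that is not Foreman's code: a "loader macro" that hands a template author's `select`/`joins`/`where` strings straight to the query builder lets a column from an unrelated table be aliased onto an attribute of the loaded model, so the template renders it as if it were that attribute and the model-level permission check never sees the other table. The macro names, parameters, schema table and the hardened variant below are assumptions made for the example, not Foreman's actual API or the upstream fix.

```ruby
# Constructed example of the loader-macro pattern and a hardened version.
# Not Foreman code; names, parameters and schema are assumptions.

class LoaderError < StandardError; end

# Stand-in for ORM schema metadata (constructed sample data): which columns
# and which belongs_to associations each table/model declares.
SCHEMA = {
  "hosts"            => { columns: %w[id name ip operatingsystem_id], associations: %w[operatingsystem] },
  "operatingsystems" => { columns: %w[id name major minor],           associations: [] },
  "users"            => { columns: %w[id login password_hash],        associations: [] },
}.freeze

# Vulnerable loader: the template author's strings are interpolated into SQL
# verbatim. The rows come back as `hosts` objects, so "users.password_hash
# AS name" is rendered wherever the template prints a host's name, and the
# permission check that gated `hosts` never covered the `users` table.
def load_hosts_unsafe(select: "*", joins: nil, where: nil)
  sql = "SELECT #{select} FROM hosts"
  sql += " #{joins}" if joins
  sql += " WHERE #{where}" if where
  sql
end

# Hardened loader: `select` is a list of this model's own column names,
# `joins` a list of its declared associations, and `where` a Hash of
# column => value rendered with bind placeholders. Anything else raises,
# so no caller-supplied text ever reaches the SQL string.
IDENT = /\A[a-z][a-z0-9_]*\z/

def load_hosts_safe(select: ["*"], joins: [], where: {})
  table = "hosts"
  meta  = SCHEMA.fetch(table)

  cols = Array(select).map do |c|
    c = c.to_s
    next "*" if c == "*"
    raise LoaderError, "select: #{c.inspect} is not a column of #{table}" unless IDENT.match?(c) && meta[:columns].include?(c)
    "#{table}.#{c}"
  end

  join_sql = Array(joins).map do |assoc|
    a = assoc.to_s
    raise LoaderError, "joins: #{a.inspect} is not an association of #{table}" unless meta[:associations].include?(a)
    # belongs_to convention, simplified pluralisation: <assoc>s.id = hosts.<assoc>_id
    " JOIN #{a}s ON #{a}s.id = #{table}.#{a}_id"
  end.join

  binds = []
  where_sql = where.map do |col, val|
    col = col.to_s
    raise LoaderError, "where: #{col.inspect} is not a column of #{table}" unless IDENT.match?(col) && meta[:columns].include?(col)
    binds << val
    "#{table}.#{col} = ?"
  end.join(" AND ")

  sql = "SELECT #{cols.join(', ')} FROM #{table}#{join_sql}"
  sql += " WHERE #{where_sql}" unless where_sql.empty?
  { sql: sql, binds: binds }
end

# True when the hardened loader refuses the given arguments.
def rejected?(**args)
  load_hosts_safe(**args)
  false
rescue LoaderError
  true
end

if __FILE__ == $PROGRAM_NAME
  # Vulnerable path: a foreign column is smuggled in under a host attribute name.
  puts load_hosts_unsafe(select: "users.password_hash AS name", joins: "JOIN users ON true")
  # Hardened path: only hosts columns, declared associations and bound values.
  p load_hosts_safe(select: %w[id name], joins: %w[operatingsystem], where: { name: "web01" })
  p rejected?(select: "users.password_hash AS name")
end
```

The point of the hardened variant is that the macro's parameters stop being free-form SQL fragments: column names are checked against the loaded model's own column list, joins against its declared associations, and filter values travel as binds. Whatever the template author types, the query can only project attributes the model-level permission check already covers.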

Comment 3 errata-xmlrpc 2024-10-31 18:45:59 UTC
This issue has been addressed in the following products:

  Red Hat Satellite 6.13 for RHEL 8

Via RHSA-2024:8717 https://access.redhat.com/errata/RHSA-2024:8717

Comment 4 errata-xmlrpc 2024-10-31 18:46:35 UTC
This issue has been addressed in the following products:

  Red Hat Satellite 6.14 for RHEL 8

Via RHSA-2024:8718 https://access.redhat.com/errata/RHSA-2024:8718

Comment 5 errata-xmlrpc 2024-10-31 18:47:12 UTC
This issue has been addressed in the following products:

  Red Hat Satellite 6.15 for RHEL 8

Via RHSA-2024:8719 https://access.redhat.com/errata/RHSA-2024:8719

Comment 6 errata-xmlrpc 2024-11-05 17:25:12 UTC
This issue has been addressed in the following products:

  Red Hat Satellite 6.16 for RHEL 8
  Red Hat Satellite 6.16 for RHEL 9

Via RHSA-2024:8906 https://access.redhat.com/errata/RHSA-2024:8906